Merge branch 'for_firewall_bbf' into 'devel'

firewallmngr: add Device.Firewall and Device.NAT as micro service See merge request !1

Merge branch 'for_firewall_bbf' into 'devel'
4dd17bab · Rahul Thakur · ddebd86f · 1d166986 · 4dd17bab · 4dd17bab
Commit 4dd17bab authored 1 year ago by Rahul Thakur
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+include:
+  - project: 'iopsys/gitlab-ci-pipeline'
+    file: '/static-code-analysis.yml'
+    ref: '0.31'
+
+stages:
+    - static_code_analysis
+
+variables:
+  DEBUG: 'TRUE'
+  SOURCE_FOLDER: "./src"
+  FLAWFINDER_OPTIONS: "-m 4 --error-level=5"
+  CPPCHECK_OPTIONS: "--enable=all --error-exitcode=1"
+  COMPILE: "./gitlab-ci/compile.sh"
+
--- a/README.md
+++ b/README.md
+# Firewall Manager
+
+This package contains code for the Device.Firewall. and Device.NAT. objects.
+
+## Dependencies
+
+- For both the Firewall and NAT objects, UCI file *firewall* is being used (package firewall).
--- a/docs/.pages
+++ b/docs/.pages
+title: "FIREWALLMNGR"
+
+nav:
+    - "arch"
+    - "api"
+    - "spec"
+    - "guide"
+    - "..."
--- a/docs/api/.pages
+++ b/docs/api/.pages
+title: "FIREWALLMNGR"
+
+nav:
+    - "ubus"
+    - "uci"
+    - "..."
--- a/docs/api/ubus/.pages
+++ b/docs/api/ubus/.pages
+title: "FIREWALLMNGR"
+
+nav:
+    - "..."
--- a/docs/api/uci/.pages
+++ b/docs/api/uci/.pages
+title: "FIREWALLMNGR"
+
+nav:
+    - "..."
--- a/docs/arch/.pages
+++ b/docs/arch/.pages
+title: "FIREWALLMNGR"
+hide: true
--- a/docs/guide/.pages
+++ b/docs/guide/.pages
+title: "FIREWALLMNGR"
+
+nav:
+    - "..."
--- a/docs/guide/libbbfdm_Firewall.md
+++ b/docs/guide/libbbfdm_Firewall.md
+# TR181 Firewall datamodel mapping
+
+Aim of this document is to explain the TR181 firewall datamodel parameter mappings with firewall and network uci.
+
+In TR-181 firewall definition, we have Device.Firewall.Level., Deivce.Firewall.Chain. and Firewall.Chain.{i}.Rules., which does not have one to one mapping with firewall uci sections.
+
+So for each new network interface created by libbbf, a new firewall uci zone will be created as follow:
+- Create a Network interface section
+- Create a Firewall zone section corresponding to the Interface section in the network uci file
+- Give it the same name as the interface section in the network uci file.
+- Set the default firewall zone value of input/output/forward to ACCEPT/ACCEPT/ACCEPT for all bridge interface and REJECT/ACCEPT/REJECT for all non bridge interfaces
+
+So basically, if the network uci has this section for an interface
+```bash
+config interface ‘iptv’
+    option device ‘ethx.y’
+    option proto ‘dhcp’
+```
+
+Then below zone gets created by libbbf in firewall uci:
+```bash
+config zone ‘iptv’
+    option network ‘iptv’
+    option input ‘REJECT’
+    option output ‘ACCEPT’
+    option forward ‘REJECT’
+```
+
+Further, Per interface default policy can be configured by adding a rule in chain for each direction. So, if its required to have ACCEPT policy for input direction, then specify a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.3 and Rule.x.Target = ACCEPT and this result into corresponding firewall uci which does the same.
+
+```bash
+config rule ‘x’
+    option src ‘iptv’
+    option target ‘ACCEPT’
+```
+
+> Note: when trying to define a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.x and the zone for this interface (Device.IP.Interface.x) doesn't exist in the firewall uci file so, a new firewall zone section corresponding to this interface section will be created.
+
+Similarly, to configure firewall rules for each interfaces, add rule objects in Device.Firewall.Chain.{i}.Rule.{i}. table to the existing Device.Firewall.Chain.{i}. in the order in which they should be applied.
+
+# Limitations
+- Multiple Device.Firewall.Level.{i}. objects are not supported
+- Multiple Device.Firewall.Chain.{i}. objects are not supported
+- Device.Firewall.Chain.{i}.Rule.{i}.TargetChain not supported
+- Device.Firewall.Chain.{i}.Rule.{i}.Order not supported, firewall rule applied in the order in which they are created, lower index rule has higher priority.
+- Device.Firewall.Config only supports 'Advanced' mode
+
+# How Device.Firewall.Chain.{i}.Rule.{i}. Object handles the Protocol parameter:
+
+For Firewall rule sections, if the protocol(proto option) is not defined or if there are multiple protocols defined in the rule like proto='tcp udp' then in those cases the 'Device.Firewall.Chain.{i}.Rule.{i}.Protocol' parameter will have as value '255' which is reserved in the protocol specification.
+
+# References
+1. [Firewall uci](https://openwrt.org/docs/guide-user/firewall/firewall_configuration)
+2. [Network uci](https://openwrt.org/docs/guide-user/base-system/basic-networking)
--- a/docs/spec/.pages
+++ b/docs/spec/.pages
+title: "FIREWALLMNGR"
+hide: true
--- a/gitlab-ci/compile.sh
+++ b/gitlab-ci/compile.sh
+#!/bin/bash
+
+echo "Install dependencies"
+orig_dir=$(pwd)
+echo $orig_dir
+
+source ./gitlab-ci/shared.sh
+
+# install bbfdm
+install_bbfdm
+
+# compile
+set -e
+echo "build stage"
+cd $orig_dir/src/
+pwd
+# just the existence of macro INCLUDE_PORT_TRIGGER is checked in code
+make CFLAGS='-DINCLUDE_PORT_TRIGGER=\"yes\"'
--- a/gitlab-ci/shared.sh
+++ b/gitlab-ci/shared.sh
+#!/bin/bash
+
+function exec_cmd()
+{
+	echo "executing $@"
+	$@ >/dev/null 2>&1
+
+	if [ $? -ne 0 ]; then
+		echo "Failed to execute $@"
+		exit 1
+	fi
+}
+
+function install_bbfdm()
+{
+	[ -d "/opt/dev/bbfdm" ] && rm -rf /opt/dev/bbfdm
+
+	if [ -n "${BBFDM_BRANCH}" ]; then
+		exec_cmd git clone -b ${BBFDM_BRANCH} https://dev.iopsys.eu/bbf/bbfdm.git /opt/dev/bbfdm
+	else
+		exec_cmd git clone https://dev.iopsys.eu/bbf/bbfdm.git /opt/dev/bbfdm
+	fi
+
+	cd /opt/dev/bbfdm
+	./gitlab-ci/install-dependencies.sh install
+	./gitlab-ci/setup.sh install
+}
--- a/src/Makefile
+++ b/src/Makefile
+LIB = libfirewallmngr.so
+
+# if filter does not return empty when searching for -DINCLUDE_PORT_TRIGGER
+# then include nat_porttrigger.o
+# else
+# do not include nat_porttrigger.o
+ifneq (,$(filter -DINCLUDE_PORT_TRIGGER, $(CFLAGS)))
+LIB_OBJS = firewallmngr.o firewall.o nat.o nat_porttrigger.o
+else
+LIB_OBJS = firewallmngr.o firewall.o nat.o
+endif
+
+PROG_CFLAGS = $(CFLAGS) -Wall -Werror -fPIC
+LIB_LDFLAGS = $(LDFLAGS)
+
+%.o: %.c
+	$(CC) $(PROG_CFLAGS) -c -o $@ $<
+
+all: $(LIB)
+
+$(LIB): $(LIB_OBJS)
+	$(CC) $(PROG_CFLAGS) -shared -o $@ $^ $(LIB_LDFLAGS)
+
+clean:
+	rm -f *.o $(LIB)
--- a/src/firewall.c
+++ b/src/firewall.c
--- a/src/firewall.h
+++ b/src/firewall.h
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *      Author: Omar Kallel <omar.kallel@pivasoftware.com>
+ */
+
+#ifndef _FIREWALL_H
+#define _FIREWALL_H
+
+#include "libbbfdm-api/dmcommon.h"
+
+extern DMOBJ tFirewallObj[];
+extern DMLEAF tFirewallParams[];
+extern DMLEAF tFirewallLevelParams[];
+extern DMLEAF tFirewallChainParams[];
+extern DMOBJ tFirewallChainObj[];
+extern DMLEAF tFirewallChainRuleParams[];
+extern DMLEAF tFirewallDMZParams[];
+extern DMLEAF tFirewallServiceParams[];
+
+#endif
--- a/src/firewallmngr.c
+++ b/src/firewallmngr.c
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	  Author Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+ *
+ */
+
+#include "firewallmngr.h"
+
+DMOBJ tFirewallObjs[] = {
+/* OBJ, permission, addobj, delobj, checkdep, browseinstobj, nextdynamicobj, dynamicleaf, nextobj, leaf, linker, bbfdm_type, uniqueKeys*/
+{"NAT", &DMREAD, NULL, NULL, "file:/etc/config/firewall", NULL, NULL, NULL, tNATObj, tNATParams, NULL, BBFDM_BOTH, NULL},
+{"Firewall", &DMREAD, NULL, NULL, "file:/etc/config/firewall", NULL, NULL, NULL, tFirewallObj, tFirewallParams, NULL, BBFDM_BOTH, NULL},
+{0}
+};
+
+/* ********** DynamicObj ********** */
+DM_MAP_OBJ tDynamicObj[] = {
+/* parentobj, nextobject, parameter */
+{"Device.", tFirewallObjs, NULL},
+{0}
+};
--- a/src/firewallmngr.h
+++ b/src/firewallmngr.h
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *		Author: Anis Ellouze <anis.ellouze@pivasoftware.com>
+ *		Author: Omar Kallel <omar.kallel@pivasoftware.com>
+ *		Author: Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+ *		Author: Imen BHIRI <imen.bhiri@pivasoftware.com>
+ *		Author: Amit Kumar <amit.kumar@iopsys.eu>
+ *
+ */
+
+#ifndef __FIREWALLMNGR_H
+#define __FIREWALLMNGR_H
+
+#include "libbbfdm-api/dmcommon.h"
+#include "firewall.h"
+#include "nat.h"
+
+extern DMOBJ tFirewallObjs[];
+
+#endif
--- a/src/nat.c
+++ b/src/nat.c
--- a/src/nat.h
+++ b/src/nat.h
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	Author: Imen BHIRI <imen.bhiri@pivasoftware.com>
+ *	Author: Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+ *
+ */
+
+#ifndef __NAT_H
+#define __NAT_H
+
+#include "libbbfdm-api/dmcommon.h"
+
+extern DMOBJ tNATObj[];
+extern DMLEAF tNATParams[];
+extern DMLEAF tNATInterfaceSettingParams[];
+extern DMLEAF tNATPortMappingParams[];
+
+#endif
--- a/src/nat_porttrigger.c
+++ b/src/nat_porttrigger.c
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	Author: Amit Kumar <amit.kumar@iopsys.eu>
+ *
+ */
+
+#include "libbbfdm-api/dmcommon.h"
+
+/*************************************************************
+* ENTRY METHOD
+**************************************************************/
+
+/*#Device.NAT.PortTrigger.{i}.!UCI:port-trigger/port_trigger/dmmap_port_trigger*/
+int browseNATPortTriggerInst(struct dmctx *dmctx, DMNODE *parent_node, void *prev_data, char *prev_instance)
+{
+	int inst = 0;
+	struct uci_section *p = NULL;
+	struct dm_data data = {0};
+	char *name = NULL;
+	char *buf = NULL;
+
+	uci_foreach_sections("port-trigger", "port_trigger", p) {
+		dmuci_get_section_name(section_name(p),&name);
+		if (name) {
+			sscanf(name, "port_trigger_%d",&inst);
+			if (inst == 0) {
+				continue;
+			}
+			dmasprintf(&buf, "%d", inst);
+			data.config_section = p;
+			if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, buf) == DM_STOP)
+				break;
+		}
+	}
+
+	return 0;
+}
+
+static int browseNATPortTriggerRuleInst(struct dmctx *dmctx, DMNODE *parent_node, void *prev_data, char *prev_instance)
+{
+        struct uci_section *p = NULL;
+	struct dm_data data = {0};
+	int inst = 0;
+	int ptg_inst = 0;
+	char *name = NULL;
+	char *buf = NULL;
+	int parent_inst = 0;
+	parent_inst = atoi(prev_instance);
+
+	uci_foreach_sections("port-trigger", "rule", p) {
+		dmuci_get_section_name(section_name(p),&name);
+		if (name) {
+			sscanf(name, "port_trigger_%d_rule_%d",&ptg_inst,&inst);
+			if ((inst == 0) || (ptg_inst != parent_inst))
+				continue;
+			dmasprintf(&buf, "%d", inst);
+			data.config_section = p;
+			if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&data, buf) == DM_STOP)
+				break;
+		}
+	}
+        return 0;
+}
+
+/*************************************************************
+* ADD & DEL OBJ
+**************************************************************/
+int addObjNATPortTrigger(char *refparam, struct dmctx *ctx, void *data, char **instance)
+{
+	struct uci_section *s = NULL;
+	char port_trigger_name[16] = {0};
+	char name[16] = {0};
+
+	snprintf(port_trigger_name, sizeof(port_trigger_name), "port_trigger_%s", *instance);
+	snprintf(name, sizeof(name), "trigger_%s", *instance);
+
+	dmuci_add_section("port-trigger", "port_trigger", &s);
+	dmuci_rename_section_by_section(s, port_trigger_name);
+	dmuci_set_value_by_section(s, "name", name);
+
+	return 0;
+}
+
+int delObjNATPortTrigger(char *refparam, struct dmctx *ctx, void *data, char *instance, unsigned char del_action)
+{
+	struct uci_section *s = NULL, *stmp = NULL;
+	char *name;
+
+	switch (del_action) {
+		case DEL_INST:
+			dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "name", &name);
+			uci_foreach_option_eq_safe("port-trigger", "rule", "port_trigger", name, stmp, s) {
+                                dmuci_delete_by_section(s, NULL, NULL);
+                        }
+
+			dmuci_delete_by_section(((struct dm_data *)data)->config_section, NULL, NULL);
+			break;
+		case DEL_ALL:
+			uci_foreach_sections_safe("port-trigger", "port_trigger", stmp, s) {
+
+				dmuci_delete_by_section(s, NULL, NULL);
+			}
+			uci_foreach_sections_safe("port-trigger", "rule", stmp, s) {
+
+				dmuci_delete_by_section(s, NULL, NULL);
+			}
+			break;
+	}
+	return 0;
+}
+
+static int addObjNATPortTriggerRule(char *refparam, struct dmctx *ctx, void *data, char **instance)
+{
+        struct uci_section *port_trigger = ((struct dm_data *)data)->config_section;
+        struct uci_section *s = NULL;
+        char s_name[50] = {0};
+	char *name = NULL;
+
+        snprintf(s_name, sizeof(s_name), "%s_rule_%s", section_name(port_trigger),*instance);
+
+	dmuci_add_section("port-trigger", "rule", &s);
+        dmuci_rename_section_by_section(s, s_name);
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "name", &name);
+	dmuci_set_value_by_section(s, "port_trigger", name);
+
+        return 0;
+}
+
+static int delObjNATPortTriggerRule(char *refparam, struct dmctx *ctx, void *data, char *instance, unsigned char del_action)
+{
+	struct uci_section *s = NULL, *stmp = NULL;
+	char *name;
+
+	switch (del_action) {
+		case DEL_INST:
+			dmuci_delete_by_section(((struct dm_data *)data)->config_section, NULL, NULL);
+			break;
+		case DEL_ALL:
+			dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "name", &name);
+                        uci_foreach_option_eq_safe("port-trigger", "rule", "port_trigger", name, stmp, s) {
+                                dmuci_delete_by_section(s, NULL, NULL);
+                        }
+			break;
+	}
+	return 0;
+}
+
+/*************************************************************
+* GET & SET PARAM
+**************************************************************/
+/*#Device.NAT.PortTriggerNumberOfEntries!UCI:port-trigger/port_trigger/*/
+int get_NAT_PortTriggerNumberOfEntries(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	int cnt = get_number_of_entries(ctx, data, instance, browseNATPortTriggerInst);
+	dmasprintf(value, "%d", cnt);
+	return 0;
+}
+
+static int get_NATPortTrigger_Alias(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_section_name(section_name(((struct dm_data *)data)->config_section),value);
+	return 0;
+}
+
+static int get_NATPortTrigger_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "enable", "0");
+	*value = (**value == 'n' || **value == '0' ) ? "0" : "1";
+	return 0;
+}
+
+static int set_NATPortTrigger_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	bool b;
+	time_t now = time(NULL);
+
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_boolean(ctx, value))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			string_to_bool(value, &b);
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "enable", b ? "1" : "0");
+
+			if (b == 1) {
+				char activation_date[32] = {0};
+
+				strftime(activation_date, sizeof(activation_date), "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+				dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "activation_date", activation_date);
+			}
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_Status(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	/*return the admin state of port trigger rule
+	* running status to be updated in later changes*/
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "enable", "0");
+	*value = (**value == 'n' || **value == '0' ) ? "Disabled" : "Enabled";
+	return 0;
+}
+
+static int get_NATPortTrigger_Origin(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "origin", "Controller");
+	return 0;
+}
+
+static int set_NATPortTrigger_Origin(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	char *Origin[] = {"User", "System", "Controller", NULL};
+
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_string(ctx, value, -1, -1, Origin, NULL))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "origin", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_Description(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "description", value);
+	return 0;
+}
+
+static int set_NATPortTrigger_Description(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_string(ctx, value, -1, 256, NULL, NULL))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "description", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_Interface(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	char *interf = NULL;
+
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "src", &interf);
+
+	bbf_get_reference_param("Device.IP.Interface.", "Name", interf, value);
+
+	return 0;
+}
+
+static int set_NATPortTrigger_Interface(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	char *allowed_objects[] = {"Device.IP.Interface.", NULL};
+	struct dm_reference reference = {0};
+
+	bbf_get_reference_args(value, &reference);
+
+	switch (action) {
+		case VALUECHECK:
+			if (bbfdm_validate_string(ctx, reference.path, -1, 256, NULL, NULL))
+				return FAULT_9007;
+
+			if (dm_validate_allowed_objects(ctx, &reference, allowed_objects))
+				return FAULT_9007;
+
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "src", reference.value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_Port(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "port", "0");
+	return 0;
+}
+
+static int set_NATPortTrigger_Port(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_unsignedInt(ctx, value, RANGE_ARGS{{"0","65535"}}, 1))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "port", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_PortEndRange(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "port_end_range", "0");
+	return 0;
+}
+
+static int set_NATPortTrigger_PortEndRange(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	char *port;
+	uint16_t s_port, end_port;
+
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "port", &port);
+	s_port = DM_STRTOL(port);
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_unsignedInt(ctx, value, RANGE_ARGS{{"0","65535"}}, 1))
+				return FAULT_9007;
+			end_port = DM_STRTOL(value);
+			if (s_port > end_port)
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "port_end_range", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_AutoDisableDuration(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "auto_disable_duration", value);
+	return 0;
+}
+
+static int set_NATPortTrigger_AutoDisableDuration(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_unsignedInt(ctx, value, RANGE_ARGS{{NULL,NULL}}, 1))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "auto_disable_duration", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_ActivationDate(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "activation_date", "0001-01-01T00:00:00Z");
+	return 0;
+}
+
+static int set_NATPortTrigger_ActivationDate(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	char activation_date[16] = {0};
+	struct tm tm;
+
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_dateTime(ctx, value))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			strptime(value, "%Y-%m-%dT%H:%M:%SZ", &tm);
+			snprintf(activation_date, sizeof(activation_date), "%lld", (long long)timegm(&tm));
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "activation_date", activation_date);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_Protocol(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "protocol", value);
+	return 0;
+}
+
+static int set_NATPortTrigger_Protocol(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_string(ctx, value, -1, -1, NATProtocol, NULL))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "protocol", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTrigger_RuleNumberOfEntries(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	int cnt = get_number_of_entries(ctx, data, instance, browseNATPortTriggerRuleInst);
+	dmasprintf(value, "%d", cnt);
+	return 0;
+}
+
+static int get_NATPortTriggerRule_Alias(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_section_name(section_name(((struct dm_data *)data)->config_section),value);
+	return 0;
+}
+
+static int get_NATPortTriggerRule_Port(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "port", "0");
+	return 0;
+}
+
+static int set_NATPortTriggerRule_Port(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_unsignedInt(ctx, value, RANGE_ARGS{{"0","65535"}}, 1))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "port", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTriggerRule_PortEndRange(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	*value = dmuci_get_value_by_section_fallback_def(((struct dm_data *)data)->config_section, "port_end_range", "0");
+	return 0;
+}
+
+static int set_NATPortTriggerRule_PortEndRange(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+
+	char *port;
+	uint16_t s_port, end_port;
+
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "port", &port);
+	s_port = DM_STRTOL(port);
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_unsignedInt(ctx, value, RANGE_ARGS{{"0","65535"}}, 1))
+				return FAULT_9007;
+			end_port = DM_STRTOL(value);
+			if (s_port > end_port)
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "port_end_range", value);
+			break;
+	}
+	return 0;
+}
+
+static int get_NATPortTriggerRule_Protocol(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	dmuci_get_value_by_section_string(((struct dm_data *)data)->config_section, "protocol", value);
+	return 0;
+}
+
+static int set_NATPortTriggerRule_Protocol(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (bbfdm_validate_string(ctx, value, -1, -1, NATProtocol, NULL))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			dmuci_set_value_by_section(((struct dm_data *)data)->config_section, "protocol", value);
+			break;
+	}
+	return 0;
+}
+
+/**********************************************************************************************************************************
+*                                            OBJ & PARAM DEFINITION
+***********************************************************************************************************************************/
+
+DMLEAF tNATPortTriggerParams[] = {
+/* PARAM, permission, type, getvalue, setvalue, bbfdm_type */
+{"Alias", &DMREAD, DMT_STRING, get_NATPortTrigger_Alias, NULL, BBFDM_BOTH},
+{"Enable", &DMWRITE, DMT_BOOL, get_NATPortTrigger_Enable, set_NATPortTrigger_Enable, BBFDM_BOTH},
+{"Status", &DMREAD, DMT_STRING, get_NATPortTrigger_Status, NULL, BBFDM_BOTH},
+{"Origin", &DMWRITE, DMT_STRING, get_NATPortTrigger_Origin, set_NATPortTrigger_Origin, BBFDM_BOTH},
+{"Description", &DMWRITE, DMT_STRING, get_NATPortTrigger_Description, set_NATPortTrigger_Description, BBFDM_BOTH},
+{"Interface", &DMWRITE, DMT_STRING, get_NATPortTrigger_Interface, set_NATPortTrigger_Interface, BBFDM_BOTH, DM_FLAG_REFERENCE},
+{"Port", &DMWRITE, DMT_UNINT, get_NATPortTrigger_Port, set_NATPortTrigger_Port, BBFDM_BOTH},
+{"PortEndRange", &DMWRITE, DMT_UNINT, get_NATPortTrigger_PortEndRange, set_NATPortTrigger_PortEndRange, BBFDM_BOTH},
+{"AutoDisableDuration", &DMWRITE, DMT_UNINT, get_NATPortTrigger_AutoDisableDuration, set_NATPortTrigger_AutoDisableDuration, BBFDM_BOTH},
+{"ActivationDate", &DMWRITE, DMT_TIME, get_NATPortTrigger_ActivationDate, set_NATPortTrigger_ActivationDate, BBFDM_BOTH},
+{"Protocol", &DMWRITE, DMT_STRING, get_NATPortTrigger_Protocol, set_NATPortTrigger_Protocol, BBFDM_BOTH},
+{"RuleNumberOfEntries", &DMREAD, DMT_UNINT, get_NATPortTrigger_RuleNumberOfEntries, NULL, BBFDM_BOTH},
+{0}
+};
+
+/* *** Device.NAT.PortTrigger.{i}.Rule.{i}. *** */
+DMLEAF tNATPortTriggerRuleParams[] = {
+/* PARAM, permission, type, getvalue, setvalue, bbfdm_type */
+{"Alias", &DMREAD, DMT_STRING, get_NATPortTriggerRule_Alias, NULL, BBFDM_BOTH},
+{"Port", &DMWRITE, DMT_UNINT, get_NATPortTriggerRule_Port, set_NATPortTriggerRule_Port, BBFDM_BOTH},
+{"PortEndRange", &DMWRITE, DMT_UNINT, get_NATPortTriggerRule_PortEndRange, set_NATPortTriggerRule_PortEndRange, BBFDM_BOTH},
+{"Protocol", &DMWRITE, DMT_STRING, get_NATPortTriggerRule_Protocol, set_NATPortTriggerRule_Protocol, BBFDM_BOTH},
+{0}
+};
+
+/* *** Device.NAT.PortTrigger.{i}. *** */
+DMOBJ tNATPortTriggerObj[] = {
+/* OBJ, permission, addobj, delobj, checkdep, browseinstobj, nextdynamicobj, dynamicleaf, nextobj, leaf, linker, bbfdm_type, uniqueKeys */
+{"Rule", &DMWRITE, addObjNATPortTriggerRule, delObjNATPortTriggerRule, NULL, browseNATPortTriggerRuleInst, NULL, NULL, NULL, tNATPortTriggerRuleParams, NULL, BBFDM_BOTH, NULL},
+{0}
+};